Wildcard subdomain limit

Dears,

My wildcard certificate was working fine with subdomains, but suddenly newly created subdomains are not secured; it gives an invalid certificate. However, it works fine for previously created instances?! Is there a limit on the number of subdomains, like ...

1.my-domain.com
2.my-domain.com
.
.
.
100000.my-domain.com

My domain is: pharmacistplace.com
I ran this command: wildcard
My web server is (include version): Apache2
The operating system my web server runs on is (include version): ubuntu 16.04

2 Likes

Hi @nurhun

checking your domain there is no real problem visible - https://check-your-website.server-daten.de/?q=pharmacistplace.com#ct-logs

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2020-11-20 2021-02-18 112233.pharmacistplace.com, 3182020.pharmacistplace.com, 92020.pharmacistplace.com, accountingtest.pharmacistplace.com, ahmedshokry.pharmacistplace.com, citypharmacy.pharmacistplace.com, demo101.pharmacistplace.com, demo102.pharmacistplace.com, demo103.pharmacistplace.com, demo104.pharmacistplace.com, demo105.pharmacistplace.com, demo106.pharmacistplace.com, demo107.pharmacistplace.com, demo108.pharmacistplace.com, demo109.pharmacistplace.com, demo110.pharmacistplace.com, demo201.pharmacistplace.com, demo202.pharmacistplace.com, demo203.pharmacistplace.com, demo204.pharmacistplace.com, demo205.pharmacistplace.com, demo206.pharmacistplace.com, demo207.pharmacistplace.com, demo208.pharmacistplace.com, demo209.pharmacistplace.com, demo210.pharmacistplace.com, dwaa.pharmacistplace.com, faragtest.pharmacistplace.com, final-test-r.pharmacistplace.com, homos2.pharmacistplace.com, ibnsina-demo.pharmacistplace.com, inventorytest.pharmacistplace.com, inventory-test-upload.pharmacistplace.com, m-salah.pharmacistplace.com, osama.atef.pharmacistplace.com, pharmacistplace.com, phms1.pharmacistplace.com, postest18-10-2020.pharmacistplace.com, r23.pharmacistplace.com, sales2.pharmacistplace.com, sdferdg.pharmacistplace.com, sdffhjytr.pharmacistplace.com, sdfsdghg.pharmacistplace.com, test.pharmacistplace.com, test2r.pharmacistplace.com, wevfgdfgetg.pharmacistplace.com 46 entries
Let's Encrypt Authority X3 2020-11-19 2021-02-17 112233.pharmacistplace.com, 3182020.pharmacistplace.com, 92020.pharmacistplace.com, accountingtest.pharmacistplace.com, ahmedshokry.pharmacistplace.com, citypharmacy.pharmacistplace.com, demo101.pharmacistplace.com, demo102.pharmacistplace.com, demo103.pharmacistplace.com, demo104.pharmacistplace.com, demo105.pharmacistplace.com, demo106.pharmacistplace.com, demo107.pharmacistplace.com, demo108.pharmacistplace.com, demo109.pharmacistplace.com, demo110.pharmacistplace.com, demo201.pharmacistplace.com, demo202.pharmacistplace.com, demo203.pharmacistplace.com, demo204.pharmacistplace.com, demo205.pharmacistplace.com, demo206.pharmacistplace.com, demo207.pharmacistplace.com, demo208.pharmacistplace.com, demo209.pharmacistplace.com, demo210.pharmacistplace.com, dwaa.pharmacistplace.com, faragtest.pharmacistplace.com, final-test-r.pharmacistplace.com, homos2.pharmacistplace.com, ibnsina-demo.pharmacistplace.com, inventorytest.pharmacistplace.com, inventory-test-upload.pharmacistplace.com, m-salah.pharmacistplace.com, osama.atef.pharmacistplace.com, pharmacistplace.com, phms1.pharmacistplace.com, postest18-10-2020.pharmacistplace.com, r23.pharmacistplace.com, sales2.pharmacistplace.com, sdferdg.pharmacistplace.com, sdffhjytr.pharmacistplace.com, sdfsdghg.pharmacistplace.com, test.pharmacistplace.com, test2r.pharmacistplace.com, wevfgdfgetg.pharmacistplace.com 46 entries
Let's Encrypt Authority X3 2020-08-30 2020-11-28 *.pharmacistplace.com, pharmacistplace.com 2 entries
Let's Encrypt Authority X3 2020-08-30 2020-11-28 *.pharmacistplace.com, pharmacistplace.com 2 entries

Two older certificates with 46 domain names. There is a 100-name limit, so that's not a problem.

TXT entries are good.

Your exact command and error message is required.

3 Likes

A wildcard certificate does have a few technical limits, but within those limits, there is no limit to how many label variants the certificate is valid for. Here are the technical constraints: the wildcard is only valid for one DNS label. I.e., *.example.com is valid for foo.example.com but not for bar.foo.example.com, as the latter hostname has two labels in the position of the wildcard. The wildcard can only be the leftmost DNS label. I.e., *.foo.example.com is fine, but bar.*.example.com is not.

4 Likes
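The two matching rules in the reply above, as an added example that is not code from this thread, from Let's Encrypt or from certbot: a small Python matcher that applies them to a certificate's dNSName entries the way a TLS client does (RFC 6125 style). The function names and the constructed SAN lists at the bottom, modelled on the two certificate shapes seen in this thread, are this example's own.

```python
"""Wildcard dNSName matching: one label only, and only as the leftmost label.

Added example, not code from the thread or from Let's Encrypt/certbot.
"""
import re
from typing import List

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _labels(name: str) -> List[str]:
    """Lower-case, strip a trailing dot, split into DNS labels."""
    return name.rstrip(".").lower().split(".")


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if the SAN entry `cert_name` covers `hostname`."""
    cert = _labels(cert_name)
    host = _labels(hostname)

    if "*" not in cert_name:
        return cert == host                      # plain name: exact match only

    # Rule 2: the wildcard must be the whole leftmost label and appear nowhere
    # else, so "bar.*.example.com" and "f*.example.com" never match anything.
    if cert[0] != "*" or any("*" in label for label in cert[1:]):
        return False
    if len(cert) < 3:                            # "*.com" is never acceptable
        return False

    # Rule 1: the wildcard stands in for exactly one label, so the host must
    # have the same number of labels: "bar.foo.example.com" has one too many
    # for "*.example.com", and the bare "example.com" has one too few.
    if len(host) != len(cert):
        return False
    if not _LABEL_RE.match(host[0]):
        return False
    return host[1:] == cert[1:]


def covering_names(san_names: List[str], hostname: str) -> List[str]:
    """All SAN entries of a certificate that cover `hostname` (empty = cert invalid for it)."""
    return [n for n in san_names if name_matches(n, hostname)]


if __name__ == "__main__":
    # Constructed SAN lists, shaped like the wildcard cert and the 46-name cert in this thread.
    wildcard_cert = ["*.pharmacistplace.com", "pharmacistplace.com"]
    enumerated_cert = ["pharmacistplace.com", "test.pharmacistplace.com",
                       "demo101.pharmacistplace.com"]
    for host in ["testing.pharmacistplace.com", "a.b.pharmacistplace.com"]:
        print(host,
              "| wildcard cert covers:", covering_names(wildcard_cert, host),
              "| enumerated cert covers:", covering_names(enumerated_cert, host))
```

Run it and the enumerated certificate returns an empty list for testing.pharmacistplace.com, which is exactly the "not listed on the certificate being served" situation diagnosed later in this thread, while the wildcard certificate covers it; neither covers a.b.pharmacistplace.com, because the wildcard stands in for a single label.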

Thanks ... but actually I'm using one label as a subdomain and the issue happened.

1 Like

Thank you for the detailed check .. could you check testing.pharmacistplace.com? It's not even listed here?

1 Like

Welcome to the Let's Encrypt Community 🙂

Then you let that wildcard certificate expire a month ago...

5 Likes

The "testing" subdomain is not listed on the certificate being served currently.
You could --expand the certificate or go back to a VALID wildcard certificate.
The latter might be your best option if your subdomains are frequently changing.

5 Likes

Here's the cert you're serving:


As you can see, it isn't a wildcard. If you want a cert to act like a wildcard cert, it needs to be a wildcard cert.

10 Likes

The test tool is online, use it.

That's one reason I've created that tool: That other users can test their domain.

A "hidden tool" wouldn't be helpful.

3 Likes

That's exactly what happened: when it expired a month ago, I ran only "certbot --apache", so I only reinstalled the main domain, not the wildcard!!

Now I'm trying to get a wildcard cert using the command below, but it's not working. Any ideas?!

certbot -d pharmacistplace.com -d *.pharmacistplace.com --preferred-challenges=dns --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin

2 Likes

You can't use dns validation with Apache.

Your Apache doesn't know anything about your DNS configuration.

Wildcard -> dns validation -> no webserver validation.

Read

3 Likes

Then I have to verify it manually?!

certbot certonly --manual ?

2 Likes

If your dns provider doesn't have a supported API, yes.

Check acme.sh, there are more APIs supported.

3 Likes

Solved manually, thanks.

Now for the 100-subdomain limit: is there any way to expand this limit, even paid?!

2 Likes

No.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.